Secure Programming for Linux and Unix HOWTO

David A. Wheeler


Table of Contents
Introduction
Background
History of Unix, Linux, and Open Source / Free Software
Unix
Free Software Foundation
Linux
Open Source / Free Software
Comparing Linux and Unix
Security Principles
Why do Programmers Write Insecure Code?
Is Open Source Good for Security?
Types of Secure Programs
Paranoia is a Virtue
Why Did I Write This Document?
Sources of Design and Implementation Guidelines
Other Sources of Security Information
Document Conventions
Summary of Linux and Unix Security Features
Processes
Process Attributes
POSIX Capabilities
Process Creation and Manipulation
Files
Filesystem Object Attributes
Creation Time Initial Values
Changing Access Control Attributes
Using Access Control Attributes
Filesystem Hierarchy
System V IPC
Sockets and Network Connections
Signals
Quotas and Limits
Dynamically Linked Libraries
Audit
PAM
Specialized Security Extensions for Unix-like Systems
Validate All Input
Command line
Environment Variables
Some Environment Variables are Dangerous
Environment Variable Storage Format is Dangerous
The Solution - Extract and Erase
File Descriptors
File Contents
Web-Based Application Inputs (Especially CGI Scripts)
Other Inputs
Human Language (Locale) Selection
How Locales are Selected
Locale Support Mechanisms
Legal Values
Bottom Line
Character Encoding
Introduction to Character Encoding
Introduction to UTF-8
UTF-8 Security Issues
UTF-8 Legal Values
UTF-8 Illegal Values
UTF-8 Related Issues
Prevent Cross-site Malicious Content on Input
Filter HTML/URIs That May Be Re-presented
Remove or Forbid Some HTML Data
Encoding HTML Data
Validating HTML Data
Validating Hypertext Links (URIs/URLs)
Other HTML tags
Related Issues
Forbid HTTP GET To Perform Non-Queries
Limit Valid Input Time and Load Level
Avoid Buffer Overflow
Dangers in C/C++
Library Solutions in C/C++
Standard C Library Solution
Static and Dynamically Allocated Buffers
strlcpy and strlcat
libmib
C++ std::string class
Libsafe
Other Libraries
Compilation Solutions in C/C++
Other Languages
Structure Program Internals and Approach
Follow Good Software Engineering Principles for Secure Programs
Secure the Interface
Minimize Privileges
Minimize the Privileges Granted
Minimize the Time the Privilege Can Be Used
Minimize the Time the Privilege is Active
Minimize the Modules Granted the Privilege
Consider Using FSUID To Limit Privileges
Consider Using Chroot to Minimize Available Files
Consider Minimizing the Accessible Data
Consider Minimizing the Resources Available
Avoid Creating Setuid/Setgid Scripts
Configure Safely and Use Safe Defaults
Load Initialization Values Safely
Fail Safe
Avoid Race Conditions
Sequencing (Non-Atomic) Problems
Locking
Trust Only Trustworthy Channels
Set up a Trusted Path
Use Internal Consistency-Checking Code
Self-limit Resources
Prevent Cross-Site Malicious Content
Explanation of the Problem
Solutions to Cross-Site Malicious Content
Be Careful with Data Types
Carefully Call Out to Other Resources
Call Only Safe Library Routines
Limit Call-outs to Valid Values
Call Only Interfaces Intended for Programmers
Check All System Call Returns
Avoid Using vfork(2)
Counter Web Bugs When Retrieving Embedded Content
Hide Sensitive Information
Send Information Back Judiciously
Minimize Feedback
Don't Include Comments
Handle Full/Unresponsive Output
Control Data Formatting ("Format Strings")
Control Character Encoding in Output
Prevent Include/Configuration File Access
Language-Specific Issues
C/C++
Perl
Python
Shell Scripting Languages (sh and csh Derivatives)
Ada
Java
TCL
PHP
Special Topics
Passwords
Authenticating on the Web
Authenticating on the Web: Logging In
Authenticating on the Web: Subsequent Actions
Authenticating on the Web: Logging Out
Random Numbers
Specially Protect Secrets (Passwords and Keys) in User Memory
Cryptographic Algorithms and Protocols
Cryptographic Protocols
Symmetric Key Encryption Algorithms
Public Key Algorithms
Cryptographic Hash Algorithms
Integrity Checking
Other Cryptographic Issues
Using PAM
Tools
Windows CE
Write Audit Records
Miscellaneous
Conclusion
Bibliography
History
Acknowledgements
About the Documentation License
GNU Free Documentation License
Endorsements
About the Author